Proposed fixes


For SSH-1, pad username, password with NULs

assumes C strings at the server end - not a part of the protocol

From Simon Tatham: hide real password message among multiple SSH_MSG_IGNORE messages of increasing sizes

about 1 KB overhead to hide passwords up to 32 characters